Adrian Chadd writes...
A couple of problems:
* Filtering ALL ICMP is pretty silly, ICMP is there for more than just pings, and some of it is important.
Such as MTU Discovery. If your customers try to go down a path where the MTU is smaller than what they are sending, and if their packets prohibit fragmentation, ICMP is the only way to inform their stack to reduce the size of the MTU. Otherwise they may failures ranging from intermittent to totality. Intermittent ones would often be seen when just a small amount of data sometimes gets through. For example, an HTTP request could be sent in a small packet, but posting a large form would not. How many tech support people would know that the ability to get a page and the inability to post a form could be caused by the customer's own ISP blocking ICMP network unreachable? So you need to leave "network unreachable" coming in. Ref: "TCP/IP Illustrated, Volume 1, The Protocols", by W. Richard Stevens See: page 340.
* If people start doing this, someone with a smidgen of time on their hands will write a ping flooder that uses random TCP or UDP packets with spoofed from addresses.
Already been done. I've had one of those for 4 years. The ultimate solution to network security was published a few months ago in the Dilbert series. -- Phil Howard | suck5it2@spammer8.edu end7it92@s0p0a2m0.com suck1it8@no6place.net phil | end3it30@no3where.edu stop7it1@dumb6ads.net ads6suck@no8where.com at | end6it68@noplace0.net die6spam@anywhere.org no1spam0@spam9mer.com milepost | no1way40@spammer0.org end2ads9@spammer2.com blow8me2@no3place.com dot | suck3it7@no62ads4.net no7spam7@noplace0.edu no7spam8@noplace1.net com | blow2me9@spammer0.com stop1659@anyplace.com crash345@lame2ads.com